By locking itself in the recent apps list, the malware ensures persistence across device reboots.

PromptSpy also abuses Accessibility Services to prevent removal. ESET researchers explained, “When the user attempts to uninstall the payload or disable Accessibility Services, the malware overlays transparent rectangles on specific screen areas – particularly over buttons containing substrings like stop, end, clear, and Uninstall. These overlays are invisible to the user but intercept interactions, making removal difficult.”

“Because PromptSpy blocks uninstallation by overlaying invisible elements on the screen, the only way for a victim to remove it is to reboot the device into Safe Mode, where third‑party apps are disabled and can be uninstalled normally,” the researchers added.

ESET noted that it has not seen infections in the wild and PromptSpy may be a proof of concept, similar to the PromptLock ransomware detailed by the company last year.

However, the security firm has seen a domain that appears to be designed to deliver the malware to users in Argentina.

Evidence indicates that PromptSpy has been created by Chinese developers. ESET made this attribution with medium confidence and the company has not linked the Android malware to any threat actor.
Eduard Kovacs (@EduardKovacs) is the managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Source: SecurityWeek